  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 258

Password Security

I have a reasonably well encrypted login page (Java applet) but I'm not sure how to protect the target page / frameset from being bookmarked and then called directly, bypassing the login page. Is there a JavaScript which I can place in the target frameset which will automatically divert surfers to the login page if it hasn't been called from there?

Every site I've visited seems to be able to do this so I'm probably asking a stupid question.


4 Solutions
This simple question maybe needs a slightly difficult answer.

First, if I have understood your question, you mainly have 2 pages. The first is the login (login.html or so) and the second is where users are redirected when they have entered the correct username/password.

So you have to do one of the following:

1. You can use COOKIES to determine if the user is logged in or not (the cookie is set if he is and not if he's not). This solution is, however, a little insecure. This is because not all browsers support cookies and a lot of them (especially somewhere in public places) have cookies disabled due to security reasons.

2. You can use a database to write the current user's IP and determine if the request comes from that IP. If it does, then the user is logged in. If not, just display the login page. This is also not 100% acceptable for developers because the IP can be changed dynamically by the provider (especially if the user is connected via phone).

3. You can set a random SESSION ID for each logged-in user, which you can write to the DB instead of the IP. This can be deleted if the user is inactive for 30 minutes or so, or if he/she clicks the LOGOUT link. This is similar to point 2; the only change is a SESSION ID instead of an IP, which can change.

... if someone knows another solution, we will be grateful to receive it, because all of these solutions are valid but a little uncomfortable.


... as far as I know there is no JavaScript to disable bookmarking or viewing the contents of any site. I can't program in Java and don't know if it supports (or can work with) cookies. Instead of Java you can also use PHP or something like that.

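An added example, not code from this answer, of the third option above: a random session ID kept server-side, expiring after 30 minutes of inactivity or on LOGOUT, with every protected page redirecting to the login page when no valid ID is presented. The in-memory dictionary, the cookie name SESSIONID and the login URL are assumptions for illustration; the answer's own suggestion is to write the IDs to a database.

```python
import secrets
import time

SESSION_TIMEOUT = 30 * 60  # 30 minutes of inactivity, as the answer suggests


class SessionStore:
    """Server-side session table: session_id -> {"user": ..., "last_seen": ...}.

    Constructed in-memory example; a real site would back this with a database.
    The clock is injectable so expiry can be exercised without waiting.
    """

    def __init__(self, timeout=SESSION_TIMEOUT, clock=time.time):
        self.timeout = timeout
        self.clock = clock
        self.sessions = {}

    def login(self, username):
        """Issue a fresh, unguessable ID once the login page has verified credentials."""
        sid = secrets.token_urlsafe(32)  # 256 random bits; not derived from IP or username
        self.sessions[sid] = {"user": username, "last_seen": self.clock()}
        return sid

    def current_user(self, sid):
        """Return the user behind a live session, or None; stale sessions are dropped."""
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        if self.clock() - entry["last_seen"] > self.timeout:
            del self.sessions[sid]
            return None
        entry["last_seen"] = self.clock()  # sliding inactivity window
        return entry["user"]

    def logout(self, sid):
        """The LOGOUT link: forget the session immediately."""
        self.sessions.pop(sid, None)


def handle_request(store, cookies, path):
    """Gate placed on every protected page, not only on the login page.

    Returns (status, headers, body); a missing, unknown or expired ID redirects to login.
    """
    user = store.current_user(cookies.get("SESSIONID", ""))
    if user is None:
        return "302 Found", {"Location": "/login.html"}, ""
    return "200 OK", {}, f"Welcome {user}, here is {path}"


if __name__ == "__main__":
    store = SessionStore()
    print(handle_request(store, {}, "/target.html")[0])            # 302 Found
    sid = store.login("brendan")
    print(handle_request(store, {"SESSIONID": sid}, "/target.html")[0])  # 200 OK
    store.logout(sid)
    print(handle_request(store, {"SESSIONID": sid}, "/target.html")[0])  # 302 Found
```

Because the ID is random and only meaningful to the server's table, a bookmarked URL to the target frameset is useless on its own; the browser must also present a cookie the server issued, which is exactly the check the question asks for.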
You store the cookie on the target's computer.

Whenever someone connects to any of your pages, call that cookie. That cookie contains the username/password/whatever.

If that username/password/whatever equals 'logged in' (read from your database) then allow them direct access to that page.

Otherwise deny and redirect.

If the user cannot store cookies, then every time they visit your website, they will be redirected.

Unless you explicitly provide a server-side storage functionality, people are pretty much used to having to store some sort of cookie to get access back to your server.

You need to include protection on every page you don't want accessed, not just the gateway to the page you want to hide. From what you are saying, if I know the location of the "protected pages" I can just go into my browser and type "www.somefin/page/location.htm" and I'll be there without a password prompt, yes/no?

Depending on your server type, I think the easiest form of access control would be using simple authentication with either auth rules or htaccess files. If you are using a programming language for dynamic content, cookies/sessions are an option...


That's another problem. You have to determine if the user is logged in or not. Maybe you could use INCLUDE to include one page if the user is logged in or include another one if he isn't.

Also you can use browser authorization (Basic is the most used). You don't need cookies accepted if you use it, although you have to determine if this authorization is set or not.

I think Java will not handle this problem. Try PHP. It's fast and easy.


It's fairly standard for Single Sign-on systems to use an encrypted cookie. Once decrypted, the cookie will reveal the user's identity, and some sort of expiry time. When the user connects, the web server reads the headers, and if the cookie doesn't exist, or has expired, the user is redirected to a login page. (On a Microsoft web server, this would be done with an ISAPI filter - presumably other web servers support similar APIs.) As far as HTTP is concerned, the connections are anonymous.

If you are using IIS and ASP, then just create a protected.asp page and include it at the top of every page you want protected.

--------- begin code
<%
' Included at the top of every protected page. LCase() lower-cases the cookie
' value, so the literal it is compared against must be lower case as well.
authorised = False
If Request.Cookies("Superuser").HasKeys Then
  username = Request.Cookies("Superuser")("username")
  If LCase(username) = "daboss" Then
    authorised = True   ' they are ok
  End If
End If
If Not authorised Then
  Response.Redirect "login.html"   ' no cookie or wrong user, buh bye
End If
%>
--------end code

If they do not have the key, they are redirected to the login page. This is pretty simple, (an example), but you get the idea.

You can set the cookie on another page by using

response.cookies("Superuser")("username") = "daBoss"
response.cookies("Superuser").Expires = Date + 10

This makes the cookie good for 10 days.

Good Luck!
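An added example, not the code of either post, serving two points above: the single sign-on post's description of a cookie that carries the user's identity and an expiry time, which the server checks on every request before redirecting to login, and the weakness in the ASP snippet, whose check trusts a plaintext username cookie that the client itself supplies. HMAC-SHA256 over "username|expiry" stands in for the post's "encryption" (what matters is that only the server can produce a cookie it will accept); the secret key, the cookie name Superuser and the login URL are assumptions for illustration.

```python
import hashlib
import hmac
import time

# Assumed server-side secret; in practice load it from a file outside the web root.
SERVER_SECRET = b"constructed-example-secret-not-for-real-use"


def check_plaintext_cookie(cookies):
    """Mirrors the posted ASP logic: whatever username the client sends is believed."""
    return cookies.get("Superuser_username", "").lower() == "daboss"


def make_signed_cookie(username, lifetime_seconds, now=None, secret=SERVER_SECRET):
    """Set after a successful login: identity and expiry, bound together by an HMAC tag."""
    expires = int((now if now is not None else time.time()) + lifetime_seconds)
    payload = f"{username}|{expires}"
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def verify_signed_cookie(cookie, now=None, secret=SERVER_SECRET):
    """Return the username if the cookie is intact and unexpired, otherwise None."""
    if cookie is None:
        return None
    parts = cookie.rsplit("|", 2)
    if len(parts) != 3:
        return None
    username, expires, tag = parts
    expected = hmac.new(secret, f"{username}|{expires}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None                               # forged or altered cookie
    try:
        if int(expires) < (now if now is not None else time.time()):
            return None                           # expired
    except ValueError:
        return None
    return username


def protected_page(cookies, now=None):
    """The check every protected page runs: (status, headers)."""
    user = verify_signed_cookie(cookies.get("Superuser"), now)
    if user is None:
        return "302 Found", {"Location": "/login.html"}
    return "200 OK", {"X-User": user}


if __name__ == "__main__":
    cookie = make_signed_cookie("daBoss", 10 * 24 * 3600)   # good for 10 days, as in the post
    print(protected_page({"Superuser": cookie})[0])          # 200 OK
    print(protected_page({"Superuser": cookie.replace("daBoss", "admin")})[0])  # 302 Found
    print(check_plaintext_cookie({"Superuser_username": "anything-the-client-chose"}))  # False
```

The plaintext variant accepts any cookie value that happens to equal the expected name, so the client alone decides whether it passes; the signed variant fails closed on a missing, altered or expired cookie because the tag only verifies against the server's secret.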

If you are hosting your site using the Apache web server, you can turn on follow symbolic links for the directory that contains the HTML file. As I know, with this setting on a directory you cannot access a file by directly entering the address of the file. Then you can direct your client from your login page...

bren2310 (Author) commented:
Thank you for all your responses so far. My problem is that whilst I know what I'm doing with JavaScript & HTML, using Perl or ASP or whatever is something I'm not familiar with and am having to learn as I go along.

In response to GtG: those hosting the site do use the Apache web server. Unfortunately I am using FrontPage for most of the site and need the FrontPage extensions installed. This effectively makes using the Apache web server security options a non-starter.

Do you / does anyone know how to make use of FrontPage's ability to set up sub-webs which provide similar protection?

Brendan (bren2310)

If your web server provider allows you to create a private directory not accessible directly from the web server which contains the website (as in, no virtual directory points to it), then you could put a CGI script in a directory accessible by the web server that asks for basic authentication. If the username and password match a predefined pair (such as in a database), set a cookie, read in the default file from the private directory, and send it to the user. All subsequent file requests would be sent through the CGI script; the CGI script will check for a valid cookie, and once the cookie has been validated, read the specified file from the private directory and send it to the user. This way, the only way the public can access the files in the private directory is through basic authentication and cookies given to the public CGI script.
As a side note to my comment, the nice thing about that setup is that even if the client doesn't support cookies, they can at least view files in the private directory as long as the web browser stays open, as it re-submits the basic authentication information when required for the private files. When the browser is closed, if the user wants to access the private files again, they have to re-enter the authentication information, or, if they have a cookie set with the authentication information, the cookie can bypass the need for the basic authentication. If you searched Google for keywords such as "basic authentication http 401 www-authenticate", and the CGI scripting language you're using, you could probably find some good examples.

This is how I personally protect a web site not meant for the general public.
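The CGI gate this answer describes, as an added example that is not the answer's own script: it parses the Basic Authorization header, answers with 401 and a WWW-Authenticate challenge when the header is missing or the pair is wrong, and otherwise serves the requested file from the private directory, refusing any request that would resolve to a path outside it (the check a practitioner wants before handing file names from the URL to the filesystem). The user table, realm name and directory layout are constructed for the example; the cookie the answer sets after the first success would sit in front of this check, and since Basic only base64-encodes the credentials the script belongs behind HTTPS.

```python
import base64
import hmac
import tempfile
from pathlib import Path

# Constructed credentials; the answer suggests looking the pair up in a database.
VALID_USERS = {"brendan": "correct horse battery staple"}
REALM = "Private area"  # assumed realm name shown in the browser's prompt


def parse_basic_auth(header):
    """Return (user, password) from an 'Authorization: Basic ...' header, or None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password


def credentials_ok(user, password):
    """Compare against the stored pair in constant time."""
    expected = VALID_USERS.get(user)
    return expected is not None and hmac.compare_digest(expected, password)


def resolve_private_file(private_root, requested):
    """Map the requested name onto the private directory; refuse anything that escapes it."""
    root = Path(private_root).resolve()
    target = (root / requested).resolve()
    if target != root and root not in target.parents:
        return None                     # '..' or similar would leave the private directory
    return target if target.is_file() else None


def cgi_gate(environ, private_root, default_file="index.html"):
    """The CGI script's decision for one request: (status, headers, body)."""
    creds = parse_basic_auth(environ.get("HTTP_AUTHORIZATION"))
    if creds is None or not credentials_ok(*creds):
        return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}, b""
    requested = environ.get("PATH_INFO", "").strip("/") or default_file
    target = resolve_private_file(private_root, requested)
    if target is None:
        return 404, {}, b""
    return 200, {"Content-Type": "text/html"}, target.read_bytes()


def basic_header(user, password):
    """Build the header a browser sends back after the 401 challenge."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def build_demo_private_dir():
    """Constructed layout: <tmp>/private/{index.html, sub/page.html} plus <tmp>/outside.txt."""
    base = Path(tempfile.mkdtemp())
    root = base / "private"
    (root / "sub").mkdir(parents=True)
    (root / "index.html").write_text("<h1>home</h1>")
    (root / "sub" / "page.html").write_text("<p>page</p>")
    (base / "outside.txt").write_text("never served through the gate")
    return str(root)


if __name__ == "__main__":
    root = build_demo_private_dir()
    ok = {"HTTP_AUTHORIZATION": basic_header("brendan", "correct horse battery staple")}
    print(cgi_gate({}, root)[0])                                         # 401
    print(cgi_gate(ok, root)[0])                                         # 200
    print(cgi_gate({**ok, "PATH_INFO": "/sub/page.html"}, root)[2])      # b'<p>page</p>'
    print(cgi_gate({**ok, "PATH_INFO": "/../outside.txt"}, root)[0])     # 404
```

Because nothing in the private directory is reachable through a URL, bookmarking the target page's address gets the visitor only the CGI script and its 401 challenge; the file contents appear only after the script has accepted credentials, which is the property the question is after.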
